Accessing private repositories from docker

Hi there.

I’m looking into whether CircleCI would be the right solution for use in my company.
I’m building out a new service using docker and nodejs.
The issue I’m running into is that when I’m building my docker image the nodejs project requires access to a private repository and as a result fails during the npm install.
Other than checking in a ssh key (would never), what else can I do to get past this?

Thanks

> The issue I’m running into is that when I’m building my docker image the nodejs project requires access to a private repository and as a result fails during the npm install.
>
> Other than checking in a ssh key (would never), what else can I do to get past this?

Using an SSH key is the best solution. You do not check it into your repo, instead you can add it to the keys in the CircleCI UI or via GitHub and it will be injected into the container when it is started. This is the same way that we currently do checkouts from private GitHub repos.

If your private registry supports HTTP authentication or loading creds from a file you can also store the credentials as environment variables.

I have used the CircleCI UI to add keys to the project but they do not seem to propagate to the docker host.
I have added both a user key and a deploy key in the “checkout ssh keys”. I have also added a private key under “ssh permissions”. I still find the docker image unable to find the dependency. What am I doing wrong/misunderstanding?

Thanks

When you say docker image, what are you referring to? CircleCI builds happen in LXC not docker, all of your keys will be on the LXC container during the build. If you are making a Docker image as a part of the build process you need to insert the keys into it manually.

I’m making a docker image as part of the build process on CircleCI. How do I add the key manually without checking it in with my source code?

So am I correct in assuming that this is not possible?

You can always use ssh-forwarding by setting up an ssh-agent beforehand. It’s the least tricky way of doing that with docker, unless you’re ok cloning through https, in which case you can pass tokens easily.

Hey @atyz. It’s been a while but we have a doc on private npm modules now: https://circleci.com/docs/npm-private-module-dependency/

Not sure if this helps or not. The envars can be passed into Docker and this can be done from a Docker command.

The way I got around this was copying the rsa token from circleci into the docker container:

```
# In the circle.yml
cp ${HOME}/.ssh/id_circleci_github id_rsa
```

and then I have a copy command in my docker file

```
copy id_rsa /root/.ssh/
```

Wouldn’t this require you checking the token into your github repository?

No, it is the token that CircleCI uses to check out the project. The token gets placed into the docker image, for the build process, and then at the end of the build it is deleted so that it doesn’t live in the final docker image.

The one caveat is that the GitHub account associated with the deployment key needs to have read access to all of the private GitHub repos that the build needs.
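
A check a build can run for the copy-then-delete approach described in this thread, as an added example that is not from any poster: it scans every layer of a `docker save` archive for PEM private-key headers, because a file removed by a later Dockerfile step is still stored in the layer that added it. The function name `scan_image_tar` and the file name `image.tar` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): scan each layer of a saved image
# for private-key material.
# Usage: docker save myimage:tag -o image.tar && scan_image_tar image.tar

# Prints every layer that contains a PEM private-key header.
# Returns 1 if any layer contains a key, 0 if none do, 2 on setup errors.
scan_image_tar() {
    archive=$1
    workdir=$(mktemp -d) || return 2
    tar -xf "$archive" -C "$workdir" || { rm -rf "$workdir"; return 2; }
    list=$workdir/.layers
    find "$workdir" -type f ! -name .layers > "$list"
    found=0
    while IFS= read -r f; do
        # Layers are tar files nested inside the archive;
        # manifests and configs are not tar files and are skipped.
        tar -tf "$f" >/dev/null 2>&1 || continue
        # Stream the content of every file in the layer and look for a PEM header.
        if tar -xOf "$f" 2>/dev/null |
            grep -aq -e '-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
            echo "private key material in layer: ${f#"$workdir"/}"
            found=1
        fi
    done < "$list"
    rm -rf "$workdir"
    return "$found"
}
```

A non-zero return can fail the build before the image is pushed.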